marco/plugin-barman-cloud
1
0
Fork 0
mirror of https://github.com/cloudnative-pg/plugin-barman-cloud.git synced 2026-01-11 13:23:09 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: controller and sidecar containers run as non-root (#225)

Browse Source 
Closes #177

Signed-off-by: Jonathan Battiato <jonathan.battiato@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
This commit is contained in:
Jonathan Battiato 2025-03-23 17:00:52 +01:00 committed by GitHub
parent a7ef56b6e7
commit 5788c1f727
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
internal/cnpgi/operator/lifecycle.go
View File

@ -299,6 +299,18 @@ func reconcilePodSpec(
sidecarConfig.Image = viper.GetString("sidecar-image") sidecarConfig.Image = viper.GetString("sidecar-image")
sidecarConfig.ImagePullPolicy = cluster.Spec.ImagePullPolicy sidecarConfig.ImagePullPolicy = cluster.Spec.ImagePullPolicy
sidecarConfig.StartupProbe = baseProbe.DeepCopy() sidecarConfig.StartupProbe = baseProbe.DeepCopy()
sidecarConfig.SecurityContext = &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(false),
RunAsNonRoot: ptr.To(true),
Privileged: ptr.To(false),
ReadOnlyRootFilesystem: ptr.To(true),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
}
// merge the main container envs if they aren't already set // merge the main container envs if they aren't already set
for _, container := range spec.Containers { for _, container := range spec.Containers {

14
kubernetes/deployment.yaml
View File

@ -16,6 +16,10 @@ spec:
labels: labels:
app: barman-cloud app: barman-cloud
spec: spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: plugin-barman-cloud serviceAccountName: plugin-barman-cloud
containers: containers:
- image: plugin-barman-cloud:latest - image: plugin-barman-cloud:latest
@ -48,6 +52,16 @@ spec:
- mountPath: /client - mountPath: /client
name: client name: client
resources: {} resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- name: server - name: server
secret: secret:

14
manifest.yaml
View File

@ -871,11 +871,25 @@ spec:
tcpSocket: tcpSocket:
port: 9090 port: 9090
resources: {} resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10001
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
volumeMounts: volumeMounts:
- mountPath: /server - mountPath: /server
name: server name: server
- mountPath: /client - mountPath: /client
name: client name: client
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: plugin-barman-cloud serviceAccountName: plugin-barman-cloud
volumes: volumes:
- name: server - name: server